Commit 56cc0242 authored by wm4, committed by Michael Niedermayer

avformat/mpc8: fix hang with fuzzed file

This can lead to an endless loop by seeking back a few bytes after each
attempted chunk read. Assuming negative sizes are always invalid, this
is easy to fix. Other code in this demuxer treats negative sizes as
invalid as well.

Fixes ticket #4262.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent e93d3a22
...@@ -223,6 +223,10 @@ static int mpc8_read_header(AVFormatContext *s) ...@@ -223,6 +223,10 @@ static int mpc8_read_header(AVFormatContext *s)
while(!avio_feof(pb)){ while(!avio_feof(pb)){
pos = avio_tell(pb); pos = avio_tell(pb);
mpc8_get_chunk_header(pb, &tag, &size); mpc8_get_chunk_header(pb, &tag, &size);
if (size < 0) {
av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
return AVERROR_INVALIDDATA;
}
if(tag == TAG_STREAMHDR) if(tag == TAG_STREAMHDR)
break; break;
mpc8_handle_chunk(s, tag, pos, size); mpc8_handle_chunk(s, tag, pos, size);
......
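Review bot: The error path added after mpc8_get_chunk_header() logs only "Invalid chunk length", with neither the offending value nor the file offset, so a log from a fuzzed sample does not show which chunk tripped the check. Both `pos` and `size` are in scope at that point; consider including them in the av_log() message, using format specifiers that match their declared types (the declarations are outside this hunk). The check also covers only `size < 0`: a positive size that is larger than the remaining input is still passed to mpc8_handle_chunk(), and the loop then depends on `avio_feof(pb)` to terminate, so it is worth confirming that this path always makes forward progress as well.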